The Federal Bureau of Investigation (FBI) has issued a new warning as to an email scam aimed at U.S. businesses. The scam is so simple that it is hard to believe, but that is why it works. Worse yet, once the business loses its money, recouping it through a bank or insurance carrier can be extremely difficult.
The scam works through the criminal getting into the middle of your email traffic. The fraudster intercepts legitimate emails, and then creates a fake one that is nearly identical. In many instances the fake email is merely one letter changed or added to the legitimate address.
For instance, take the hypothetical email firstname.lastname@example.org is transformed by the fraudster to email@example.com. That extra “s” makes all the difference. No one notices the new (but fake) email in an exchange, and soon enough, the parties are communicating through the criminal that controls the email conversation by being in the middle of it. In short, the criminal becomes the hub of a conversation controlling all of the information between the legitimate parties to the transaction. At some point, the fraudster issues instructions for payment, usually by wire transfer, and the funds go offshore and are long gone.
Do not be fooled by thinking this could not happen to you. Very sophisticated business people have been duped.
The FBI warning notes that either or both parties to a transaction can lose out in a man-in-the-email attack. Payment can be diverted to the criminal’s account, or the goods could be diverted to a different delivery location. In other words, the buyer can pay and never receive the goods or the seller can ship the goods and never receive payment. While the FBI’s alert is based on the scam targeting Seattle companies, this author is aware of three instances in Virginia this year.
This scam works very well in real estate transactions and international sales of merchandise or goods. In these types of transactions, the parties are usually in a hurry to complete the sale and there is a built-in level of trust. Down payments on commercial or high net worth residential property is stolen at the closing when the criminals get the funds diverted. In international sales, the wire transfer for payment is similarly misdirected.
The FBI provides some tips to help prevent being a victim of a “man in the middle” scam. First, all businesses should use secure email. Web-based email from free accounts is a very bad idea when conducting business. Those email systems are easily hacked or infiltrated. Better yet, use email that is encrypted when conducting business.
Second, businesses should develop verification procedures. If the wire transfer instructions come in by email, then they should be confirmed through a secondary procedure, such as a phone call between agreed upon contacts who will recognize each other on the call. Do not use the “reply” button. This is what the criminal is counting on because he is in the loop and can control the conversation. In particular, it is very difficult to pick-up on the fake email address on smartphones and Blackberry devices. The better practice, according to the FBI, is to forward the email to the contact and type in the address or insert it from your contact list.
Finally, be very suspicious. If the standard instructions for payment suddenly change, verify using a different method than email. If the payment is going to an account or location that does not make sense to the transaction, be careful. In some instances, these criminals make the payment to an account at a well-known U.S. financial institution. However, they quickly transfer the funds a second time offshore.
For example, if you are buying product from a Brazilian company, why are you suddenly being asked to wire the payment to a bank in Columbia? Or, if you are buying a million dollar home in Arizona, why are you being requested to transfer the funds to South Florida? Red flags are everywhere and verification is critical to prevent being a victim of this scam.
Once the funds go offshore it can be extremely difficult to claw back the money from the foreign banks. The more time that passes, the harder the process becomes for the issuing bank to retrieve your money. Moreover, banks are surprisingly secretive with the process and do not appear to cooperate with each other in this process.
If you think a crime insurance policy will save the day in these instances, think again. The potential for coverage is there, but it is not easy since coverage is very dependent on the facts of each scam and how it is perpetrated.
Crime policies do provide what initially looks like an impressive scope of coverage: a) employee theft; b) forgery or alteration; c) theft from your premises; d) theft while your money is in transit; e) fake money orders and counterfeit money; f) computer crime; g) funds transfer fraud; and h) personal account protection. But as with any contract, the devil is in the details. Most of these coverage terms are specifically defined in the policy. The definitions can specify the type of fraud, the required location of the crime, and who must be involved in the scam or crime in order for coverage to exist.
There are additional items to also watch for in crime coverage. These policies may carry sub-limits for certain aspects of losses that are below the general policy limits. These sub-limits can significantly reduce available policy limits when applied to the particular loss.
Crime policies are “claims-made” policies, which means that the loss generally must be reported within the policy period. Insureds cannot let themselves distracted by trying to claw back the funds and secure their operational systems to the detriment of filing a claim with their insurer, which is especially true as the end of the policy period approaches.
If a company is a victim of repeated fraudulent transfers within a short span of time, it is possible these losses will be treated as related. In that case, the company may find itself limited to a single policy limit for one claim. This can be highly problematic for an insured.
For example, let’s say that a policy provides $500,000 of coverage for a single loss. In one month, before the controller can sniff out the scam when reconciling the books, your company is hit with three instances of fraud where funds are stolen through a man-in-the-middle email scam totaling $1.5 million. If the insurer is able to deem these losses related, then the potential coverage is capped at $500,000.
Many an insured has come to this realization when it is too late. It is critical to analyze the coverage needs in terms of appropriate policy limits. Underinsured companies remain a huge problem in the business world.
Finally, these policies typically contain numerous exclusions to coverage. For example, Travelers Crime Policy has 28 separate exclusions to coverage. It is one thing to purchase a crime policy, but another to understand its terms and how it applies to a loss. Policyholders must be mindful of the scope of coverage in order to ensure they receive maximum coverage.
Combining crime and cyber coverage is critical in today’s technology-based world of transactions. Policyholders must understand their risk and how each of these types of insurance can protect them from criminal activity. This is particularly true for companies that handle funds for clients, use wire transfers in their business, maintain sensitive customer data, and/or have large computer networks. The combination of a strong crime policy joined with cyber coverage can provide the best source of recovery on a criminal loss.
The best protection, however, will always be operational security and risk management in your business practices. Preventing the loss in the first place is always a winning strategy.